Trialware

Interested in Symantec's Enterprise Software Solutions?

Flamer Threat

Highly sophisticated and discreet, the Flamer threat contains code that is on par with Stuxnet and Duqu in complexity. It appears to be the work of a well-funded group targeting Eastern Europe and the Middle East.

Flamer Threat

On May 28th Symantec released its analysis of a threat called Flamer. Flamer is a highly sophisticated threat, using multiple components that cleverly conceals its malicious functionality. The complexity of the code within this threat is commensurate with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date. The modular nature of this malware suggests that a group of developers have created it with the goal of maintaining the threat over a long period of time; very likely along with a different set of individuals using the malware. The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules used by the malware controllers. Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products.

While our analysis is currently ongoing, we've determined that the primary functionality of Flamer is to obtain information and data. The threat is not wide-spread. Indications are that the targets of the threat are located primarily in Eastern Europe and the Middle East. The overall functionality includes the ability to steal documents, take screenshots of users' desktops, spread through removable drives, and disable security products. This functionality is not unique and by itself would not make Flamer significant. But when combined with the complexity of the code, the identified targets, and the possible link to recent threats described by the Iran National CERT, see below, Flamer becomes a very noteworthy threat.